diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java
index 20240b2620989..c9eec35e6c9b2 100644
--- a/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java
+++ b/test/framework/src/main/java/org/elasticsearch/test/ESIntegTestCase.java
@@ -57,6 +57,7 @@ import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.support.DefaultShardOperationFailedException;
 import org.elasticsearch.action.support.IndicesOptions;
+import org.elasticsearch.bootstrap.JavaVersion;
 import org.elasticsearch.client.AdminClient;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.client.Requests;
@@ -2256,4 +2257,8 @@ public static Index resolveIndex(String index) {
 public static boolean inFipsJvm() {
 return Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP));
 }
+
+ public static boolean inFipsSunJsseJvm() {
+ return inFipsJvm() && JavaVersion.current().getVersion().get(0) == 8;
+ }
 }
diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java
index 5566f31cca2ac..76b2718275069 100644
--- a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java
+++ b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java
@@ -1391,6 +1391,10 @@ public static boolean inFipsJvm() {
 return Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP));
 }
+ public static boolean inFipsSunJsseJvm() {
+ return inFipsJvm() && JavaVersion.current().getVersion().get(0) == 8;
+ }
+
 /**
 * Returns a unique port range for this JVM starting from the computed base port
 */
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java
index e3da8a652c8fd..5a613c284ac0a 100644
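Review bot: `inFipsSunJsseJvm()` is added twice with the same body, here in ESIntegTestCase and again in ESTestCase in the next hunk, and the body checks only the Java major version while the name promises a JSSE-provider check; a one-line Javadoc would keep name and check from drifting, e.g. `/** True in a FIPS JVM on Java 8, where the FIPS-mode SunJSSE provider is in use and the diagnostic trust manager cannot be installed (see the assume messages in SSLServiceTests). */`. The duplication mirrors the existing `inFipsJvm()` pair, but since the static imports later in this diff resolve the ESTestCase copy, the ESIntegTestCase one could simply delegate, `return ESTestCase.inFipsSunJsseJvm();`, presumably ESIntegTestCase extends ESTestCase. `getVersion().get(0) == 8` relies on auto-unboxing of the list element, which is fine if `getVersion()` returns `List<Integer>`, though a comparison such as `JavaVersion.current().compareTo(JavaVersion.parse("9")) < 0` would state the "before Java 9" intent more directly.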
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/LocalStateCompositeXPackPlugin.java @@ -93,6 +93,7 @@ import java.util.stream.Collectors; import static java.util.stream.Collectors.toList; +import static org.elasticsearch.test.ESTestCase.inFipsSunJsseJvm; public class LocalStateCompositeXPackPlugin extends XPackPlugin implements ScriptPlugin, ActionPlugin, IngestPlugin, NetworkPlugin, ClusterPlugin, DiscoveryPlugin, MapperPlugin, AnalysisPlugin, PersistentTaskPlugin, EnginePlugin { @@ -153,12 +154,17 @@ public Collection createComponents(Client client, ClusterService cluster NamedXContentRegistry xContentRegistry, Environment environment, NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry) { List components = new ArrayList<>(); + // This is a hack, but the settings we add in #additionalSettings() are not added to the environment instance + // (in org.elasticsearch.node.Node) which is passed in `createComponents` of each of the plugins. So the environment + // we get here wouldn't have the additional setting. This is a known issue, and once it is resolved, the code here + // can be adjusted accordingly + final Environment updatedEnvironment = getUpdatedEnvironment(environment); components.addAll(super.createComponents(client, clusterService, threadPool, resourceWatcherService, scriptService, - xContentRegistry, environment, nodeEnvironment, namedWriteableRegistry)); + xContentRegistry, updatedEnvironment, nodeEnvironment, namedWriteableRegistry)); filterPlugins(Plugin.class).stream().forEach(p -> components.addAll(p.createComponents(client, clusterService, threadPool, resourceWatcherService, scriptService, - xContentRegistry, environment, nodeEnvironment, namedWriteableRegistry)) + xContentRegistry, updatedEnvironment, nodeEnvironment, namedWriteableRegistry)) ); return components; } 
@@ -476,4 +482,15 @@ private List filterPlugins(Class type) { .collect(Collectors.toList()); } + private Environment getUpdatedEnvironment(Environment existingEnvironment){ + if (inFipsSunJsseJvm()) { + Settings additionalSettings = Settings.builder() + .put(existingEnvironment.settings()) + .put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false) + .build(); + return new Environment(additionalSettings, existingEnvironment.configFile()); + } + return existingEnvironment; + } + } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java index 9d6d643593976..00ede13a50db0 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/TestXPackTransportClient.java @@ -18,7 +18,7 @@ import java.util.concurrent.TimeUnit; import static org.elasticsearch.test.ESTestCase.getTestTransportPlugin; -import static org.elasticsearch.test.ESTestCase.inFipsJvm; +import static org.elasticsearch.test.ESTestCase.inFipsSunJsseJvm; /** * TransportClient.Builder that installs the XPackPlugin by default. @@ -55,7 +55,7 @@ public void close() { private static Settings possiblyDisableTlsDiagnostic(Settings settings) { Settings.Builder builder = Settings.builder().put(settings); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } return builder.build(); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java index fd7315d7457c2..03893634c7c69 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java 
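Review bot: `getUpdatedEnvironment` unconditionally overwrites `XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING` on SunJSSE FIPS JVMs, so a test that deliberately enables the setting through this plugin would be silently reverted; guarding the `put` with `existingEnvironment.settings().hasValue(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey()) == false` would make it a default rather than a clobber. The method reads no instance state and could be `private static`, and `Environment existingEnvironment){` lacks the space before the brace used elsewhere in the file. A short comment on why only the SunJSSE-on-Java-8 case needs this (the diagnostic trust manager cannot be installed there, per the assume messages added to SSLServiceTests) would help, since the "hack" comment in `createComponents` explains the Environment copy but not the setting itself.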
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/transport/ProfileConfigurationsTests.java @@ -11,6 +11,7 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.core.ssl.VerificationMode; @@ -65,10 +66,14 @@ private Settings.Builder getBaseSettings() { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - return Settings.builder() + Settings.Builder builder = Settings.builder() .setSecureSettings(secureSettings) .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystore.toString()); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; } } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java index 99df5c641f498..217ae700a4854 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java @@ -35,6 +35,7 @@ import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.core.XPackSettings; import org.junit.After; import org.junit.Before; 
@@ -108,7 +109,7 @@ public void testReloadingKeyStore() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.jks"), updatedKeystorePath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystorePath) @@ -166,7 +167,7 @@ public void testPEMKeyConfigReloading() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCertPath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", keyPath) @@ -175,7 +176,7 @@ public void testPEMKeyConfigReloading() throws Exception { .setSecureSettings(secureSettings) .build(); final Environment env = randomBoolean() ? null : - TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); // Load HTTPClient once. Client uses a keystore containing testnode key/cert as a truststore try (CloseableHttpClient client = getSSLClient(Collections.singletonList(certPath))) { final Consumer keyMaterialPreChecks = (context) -> { 
@@ -325,7 +326,7 @@ public void testReloadingKeyStoreException() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"), keystorePath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", keystorePath) .setSecureSettings(secureSettings) @@ -376,7 +377,7 @@ public void testReloadingPEMKeyConfigException() throws Exception { Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.key", keyPath) .put("xpack.security.transport.ssl.certificate", certPath) @@ -519,7 +520,7 @@ private Settings.Builder baseKeystoreSettings(Path tempDir, MockSecureSettings s } secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - return Settings.builder() + return getSettingsBuilder() .put("xpack.security.transport.ssl.key", keyPath.toString()) .put("xpack.security.transport.ssl.certificate", certPath.toString()) .setSecureSettings(secureSettings); 
@@ -632,6 +633,14 @@ private static CloseableHttpClient createHttpClient(SSLContext sslContext) { .build(); } + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } + /** * Creates our own HttpConnectionFactory that changes how the connection is closed to prevent issues with * the MockWebServer going into an endless loop based on the way that HttpClient closes its connection. diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java index 08df2d1b65907..2514065012da7 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java 
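Review bot: The `getSettingsBuilder()` added here is a verbatim copy of the helper added to SSLServiceTests later in this diff and of the pre-existing ones in PkiRealmBootstrapCheckTests and ESNativeMigrateToolTests, and the same three lines are inlined in ProfileConfigurationsTests, SecurityIntegTestCase, SecuritySingleNodeTestCase, SecurityTests, TransportOpenIdConnectLogoutActionTests, CommandLineHttpClientTests and the two LDAP realm tests. One shared static helper — in an x-pack test utility, since the test framework presumably cannot see `XPackSettings` — would keep the FIPS condition in a single place the next time it changes, as it did in this commit. The helper reads no instance state, so `private static` fits, and a one-line comment such as `// the diagnostic trust manager cannot be installed under the FIPS-mode SunJSSE provider on Java 8` would explain the override to the next reader.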
@@ -90,15 +90,21 @@ public class SSLServiceTests extends ESTestCase { @Before public void setup() throws Exception { - // Randomise the keystore type (jks/PKCS#12) - if (randomBoolean()) { - testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); - // The default is to use JKS. Randomly test with explicit and with the default value. - testnodeStoreType = "jks"; - } else { + // Randomise the keystore type (jks/PKCS#12) when possible + if (inFipsJvm()){ testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12"); testnodeStoreType = randomBoolean() ? "PKCS12" : null; + } else { + if (randomBoolean()) { + testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"); + // The default is to use JKS. Randomly test with explicit and with the default value. + testnodeStoreType = "jks"; + } else { + testnodeStore = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12"); + testnodeStoreType = randomBoolean() ? "PKCS12" : null; + } } + logger.info("Using [{}] key/truststore [{}]", testnodeStoreType, testnodeStore); testnodeCert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"); testnodeKey = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem"); @@ -125,7 +131,7 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { MockSecureSettings secureCustomSettings = new MockSecureSettings(); secureCustomSettings.setString("truststore.secure_password", "testclient"); - Settings customTruststoreSettings = Settings.builder() + Settings customTruststoreSettings = getSettingsBuilder() .put("truststore.path", testClientStore) .setSecureSettings(secureCustomSettings) .build(); 
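Review bot: The PKCS#12 branch is now written twice in `setup()`, once for FIPS and once as the non-FIPS random choice; the three-way nesting collapses to a single condition, `if (inFipsJvm() == false && randomBoolean()) {` selecting the JKS store, with the two p12 assignments in the `else`, which is the same randomness on non-FIPS and always PKCS#12 on FIPS. `if (inFipsJvm()){` also needs the space before the brace. The added `logger.info` is worth keeping since the store choice is now environment-dependent and no longer visible from the seed alone.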
@@ -147,7 +153,7 @@ public void testThatCustomTruststoreCanBeSpecified() throws Exception { public void testThatSslContextCachingWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -173,7 +179,7 @@ public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_key_password", "testnode1"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) .setSecureSettings(secureSettings) @@ -191,7 +197,7 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { try { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", differentPasswordsStore) .setSecureSettings(secureSettings) .build(); 
@@ -208,7 +214,7 @@ public void testIncorrectKeyPasswordThrowsException() throws Exception { public void testThatSSLv3IsNotEnabled() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -221,7 +227,7 @@ public void testThatSSLv3IsNotEnabled() throws Exception { } public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Exception { - SSLService sslService = new SSLService(Settings.EMPTY, env); + SSLService sslService = new SSLService(getSettingsBuilder().build(), env); SSLConfiguration configuration = sslService.getSSLConfiguration("xpack.security.transport.ssl"); SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1); assertThat(sslEngine, notNullValue()); @@ -230,7 +236,7 @@ public void testThatCreateClientSSLEngineWithoutAnySettingsWorks() throws Except public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.http.ssl.truststore.secure_password", "testclient"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.enabled", true) .put("xpack.http.ssl.truststore.path", testclientStore) .setSecureSettings(secureSettings) 
@@ -246,7 +252,7 @@ public void testCreateWithKeystoreIsValidForServer() throws Exception { assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) @@ -261,7 +267,7 @@ public void testValidForServer() throws Exception { assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.http.ssl.truststore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.truststore.path", testnodeStore) .put("xpack.http.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) @@ -272,7 +278,7 @@ public void testValidForServer() throws Exception { assertFalse(sslService.isConfigurationValidForServerUsage(sslService.getSSLConfiguration("xpack.http.ssl"))); secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); - settings = Settings.builder() + settings = getSettingsBuilder() .put("xpack.http.ssl.truststore.path", testnodeStore) .put("xpack.http.ssl.truststore.type", testnodeStoreType) .setSecureSettings(secureSettings) 
@@ -289,7 +295,7 @@ public void testGetVerificationMode() throws Exception { assertThat(sslService.getSSLConfiguration("xpack.security.transport.ssl").verificationMode(), is(XPackSettings.VERIFICATION_MODE_DEFAULT)); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.transport.ssl.verification_mode", "certificate") .put("transport.profiles.foo.xpack.security.ssl.verification_mode", "full") @@ -301,10 +307,10 @@ public void testGetVerificationMode() throws Exception { } public void testIsSSLClientAuthEnabled() throws Exception { - SSLService sslService = new SSLService(Settings.EMPTY, env); + SSLService sslService = new SSLService(getSettingsBuilder().build(), env); assertTrue(sslService.getSSLConfiguration("xpack.security.transport.ssl").sslClientAuth().enabled()); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", false) .put("xpack.security.transport.ssl.client_authentication", "optional") .put("transport.profiles.foo.port", "9400-9410") @@ -318,7 +324,7 @@ public void testThatHttpClientAuthDefaultsToNone() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "testnode"); - final Settings globalSettings = Settings.builder() + final Settings globalSettings = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.keystore.path", testnodeStore) .put("xpack.security.http.ssl.keystore.type", testnodeStoreType) 
@@ -340,7 +346,7 @@ public void testThatHttpClientAuthDefaultsToNone() throws Exception { public void testThatTruststorePasswordIsRequired() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .setSecureSettings(secureSettings) @@ -354,7 +360,7 @@ public void testThatTruststorePasswordIsRequired() throws Exception { } public void testThatKeystorePasswordIsRequired() throws Exception { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testnodeStore) .put("xpack.security.transport.ssl.keystore.type", testnodeStoreType) .build(); @@ -370,7 +376,7 @@ public void testCiphersAndInvalidCiphersWork() throws Exception { ciphers.add("bar"); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -389,7 +395,7 @@ public void testInvalidCiphersOnlyThrowsException() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) .setSecureSettings(secureSettings) 
@@ -404,7 +410,7 @@ public void testInvalidCiphersOnlyThrowsException() throws Exception { public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -420,7 +426,7 @@ public void testThatSSLEngineHasCipherSuitesOrderSet() throws Exception { public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) @@ -446,7 +452,7 @@ public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Except public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.transport.ssl.certificate", testnodeCert) .put("xpack.security.transport.ssl.key", testnodeKey) 
@@ -504,7 +510,7 @@ public void testSSLStrategy() { } public void testGetConfigurationByContextName() throws Exception { - assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm()); + assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsSunJsseJvm()); final SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); sslContext.init(null, null, null); final String[] cipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites(); @@ -529,7 +535,7 @@ public void testGetConfigurationByContextName() throws Exception { final Iterator cipher = Arrays.asList(cipherSuites).iterator(); final MockSecureSettings secureSettings = new MockSecureSettings(); - final Settings.Builder builder = Settings.builder(); + final Settings.Builder builder = getSettingsBuilder(); for (String prefix : contextNames) { if (prefix.startsWith("xpack.security.transport") || prefix.startsWith("xpack.security.http")) { builder.put(prefix + ".enabled", true); @@ -567,7 +573,7 @@ public void testReadCertificateInformation() throws Exception { secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode"); secureSettings.setString("xpack.http.ssl.keystore.secure_password", "testnode"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.enabled", randomBoolean()) .put("xpack.security.transport.ssl.keystore.path", jksPath) .put("xpack.security.transport.ssl.truststore.path", jksPath) 
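Review bot: In `testGetConfigurationByContextName` the skip condition was narrowed to `inFipsSunJsseJvm()` but the message still says "Can't run in a FIPS JVM, JKS keystores can't be used", which describes a FIPS-wide restriction rather than a Java-8 one, and `testCreateWithKeystoreIsValidForServer` and `testValidForServer` keep `inFipsJvm()` with the same message. If the test no longer touches a JKS store and the real blocker is the diagnostic trust manager, the message should say so, e.g. `assumeFalse("We cannot enable diagnostic trust manager in FIPS mode with SunJSSE", inFipsSunJsseJvm());` as in the later hunks; if it does use JKS, the narrower condition will let it run and fail on FIPS JVMs on Java 11. The test body runs past this hunk, so which case applies is not visible here.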
@@ -771,7 +777,7 @@ public void testThatSSLContextWithoutSettingsWorks() throws Exception { public void testThatSSLContextTrustsJDKTrustedCAs() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testclientStore) .setSecureSettings(secureSettings) .build(); @@ -804,7 +810,7 @@ public void testThatSSLIOSessionStrategyWithoutSettingsWorks() throws Exception public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testclient"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.security.transport.ssl.keystore.path", testclientStore) .setSecureSettings(secureSettings) .build(); @@ -820,6 +826,7 @@ public void testThatSSLIOSessionStrategyTrustsJDKTrustedCAs() throws Exception { } public void testWrapTrustManagerWhenDiagnosticsEnabled() { + assumeFalse("We cannot enable diagnostic trust manager in FIPS mode with SunJSSE", inFipsSunJsseJvm()); final Settings.Builder builder = Settings.builder(); if (randomBoolean()) { // randomly select between default, and explicit enabled builder.put("xpack.security.ssl.diagnose.trust", true); @@ -851,6 +858,7 @@ public void testDontWrapTrustManagerByDefaultWhenInFips(){ } public void testWrapTrustManagerWhenInFipsAndExplicitlyConfigured(){ + assumeFalse("We cannot enable diagnostic trust manager in FIPS mode with SunJSSE", inFipsSunJsseJvm()); final Settings.Builder builder = Settings.builder(); builder.put("xpack.security.fips_mode.enabled", true); builder.put("xpack.security.ssl.diagnose.trust", true); 
@@ -902,6 +910,14 @@ private static void privilegedConnect(CheckedRunnable runnable) throw
 }
 }
+ private Settings.Builder getSettingsBuilder() {
+ Settings.Builder builder = Settings.builder();
+ if (inFipsSunJsseJvm()) {
+ builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
+ }
+ return builder;
+ }
+
 private static final class MockSSLSession implements SSLSession {
 private final byte[] id;
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java
index abc468d05dc76..98523c952a811 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java
@@ -246,7 +246,7 @@ protected Settings nodeSettings(int nodeOrdinal) {
 builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
 builder.put(NetworkModule.TRANSPORT_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO);
 builder.put(NetworkModule.HTTP_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO);
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 Settings.Builder customBuilder = Settings.builder().put(customSettings);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java
index ec612a9905486..5fb2ec414bb4e 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySingleNodeTestCase.java
@@ -168,7 +168,7 @@ protected Settings nodeSettings() {
 builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
 builder.put("transport.type", "security4");
 builder.put("path.home", customSecuritySettingsSource.nodePath(0));
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 Settings.Builder customBuilder = Settings.builder().put(customSettings);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java
index 66aff9abcb4d6..ef0a127ad5aeb 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java
@@ -148,7 +148,7 @@ public void testBootstrapCheckWithClosedSecuredSetting() throws Exception {
 private Settings.Builder getSettingsBuilder() {
 Settings.Builder builder = Settings.builder();
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 return builder;
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
index 57f34496fc964..d7a01760e26ee 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
@@ -102,7 +102,7 @@ private Collection createComponents(Settings testSettings, SecurityExten
 .put("xpack.security.enabled", true)
 .put(testSettings)
 .put("path.home", createTempDir());
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 Settings settings = builder.build();
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java
index 8104ddb98c469..bc085f5fc008e 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java
@@ -94,7 +94,7 @@ public void setup() throws Exception {
 .put("path.home", createTempDir())
 .build();
 Settings.Builder sslSettingsBuilder = Settings.builder();
- if (inFipsJvm()) {
+ if (inFipsSunJsseJvm()) {
 sslSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
 }
 final Settings sslSettings = sslSettingsBuilder
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
index 40e6f7510f02e..c8820e7add956 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
@@ -176,7 +176,7 @@ public void testMissingPasswordParameter() { private Settings.Builder getSettingsBuilder() { Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } return builder; diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java index 52f33087959f2..eae4735246f37 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/CommandLineHttpClientTests.java @@ -72,7 +72,7 @@ public void testCommandLineHttpClientCanExecuteAndReturnCorrectResultUsingSSLSet public void testGetDefaultURLFailsWithHelpfulMessage() { Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } Settings settings = builder @@ -93,7 +93,7 @@ private Settings.Builder getHttpSslSettings() { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } return builder diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java index 997a1ed10157f..bd06aa8aef45c 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java @@ -144,7 +144,7 @@ public void start() throws Exception { threadPool = new TestThreadPool("active directory realm tests"); resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool); Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } globalSettings = builder.put("path.home", createTempDir()).build(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java index f8a958a2ad864..abb18e0503dca 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java @@ -100,7 +100,7 @@ public void init() throws Exception { threadPool = new TestThreadPool("ldap realm tests"); resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool); Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } defaultGlobalSettings = builder.put("path.home", createTempDir()).build(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java index dd6b84162f255..c5da34a478c67 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java @@ -61,7 +61,7 @@ public void setup() throws Exception { ldapCaPath = createTempFile(); Files.copy(origCa, ldapCaPath, StandardCopyOption.REPLACE_EXISTING); Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } globalSettings = builder diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java index 65eb36aeba73b..fac9e62caf800 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapTestUtils.java @@ -13,6 +13,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings; import org.elasticsearch.xpack.core.ssl.SSLConfiguration; import org.elasticsearch.xpack.core.ssl.SSLService; @@ -21,6 +22,8 @@ import java.nio.file.Path; +import static org.elasticsearch.test.ESTestCase.inFipsSunJsseJvm; + public class LdapTestUtils { private LdapTestUtils() { 
@@ -31,6 +34,9 @@ public static LDAPConnection openConnection(String url, String bindDN, String bi Settings.Builder builder = Settings.builder().put("path.home", LuceneTestCase.createTempDir()); MockSecureSettings secureSettings = new MockSecureSettings(); builder.setSecureSettings(secureSettings); + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } // fake realms so ssl will get loaded builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore); builder.put("xpack.security.authc.realms.ldap.foo.ssl.verification_mode", VerificationMode.FULL); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java index 99eec57292ddc..93be7b8778b3a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactoryTests.java @@ -64,7 +64,7 @@ public void init() throws Exception { * verification tests since a re-established connection does not perform hostname verification. */ Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } globalSettings = builder diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java index 52427bcc86c85..0f6af5ae2c282 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java 
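Review bot: The added `if (inFipsSunJsseJvm()){` in `openConnection` omits the space before the opening brace that every other new `if` in this patch uses; the same spacing slip appears in the OpenLdapTests and SecurityTransportClientIT hunks. Change all three to `if (inFipsSunJsseJvm()) {` so the new blocks read identically and a later formatter pass does not produce unrelated noise. `openConnection` continues past the end of the hunk.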
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java @@ -172,7 +172,7 @@ public static Settings buildLdapSettings(RealmConfig.RealmIdentifier realmId, St if (serverSetType != null) { builder.put(getFullSettingKey(realmId, LdapLoadBalancingSettings.LOAD_BALANCE_TYPE_SETTING), serverSetType.toString()); } - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } return builder.build(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java index c7c8fc0926b30..d639f7dd41494 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java @@ -294,7 +294,7 @@ private TestSessionFactory createSessionFactory(LdapLoadBalancing loadBalancing) RealmConfig config = new RealmConfig(REALM_IDENTIFIER, globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); Settings.Builder builder = Settings.builder(); - if (inFipsJvm()) { + if (inFipsSunJsseJvm()) { builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); } return new TestSessionFactory(config, new SSLService(builder.build(), TestEnvironment.newEnvironment(config.settings())), diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java index 55a50b6091c6b..b6a4b6a9d48b5 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java @@ -67,7 +67,7 @@ public void testSessionFactoryWithResponseTimeout() throws Exception { final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ldap", "response_settings"); final Path pathHome = createTempDir(); { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_RESPONSE_SETTING), "10s") .put("path.home", pathHome) .build(); @@ -78,7 +78,7 @@ public void testSessionFactoryWithResponseTimeout() throws Exception { assertThat(options.getResponseTimeoutMillis(), is(equalTo(10000L))); } { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "7s") .put("path.home", pathHome) .build(); @@ -91,7 +91,7 @@ public void testSessionFactoryWithResponseTimeout() throws Exception { .getConcreteSettingForNamespace("response_settings")}); } { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_RESPONSE_SETTING), "11s") .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING), "6s") .put("path.home", pathHome) @@ -105,7 +105,7 @@ public void testSessionFactoryWithResponseTimeout() throws Exception { ".authc.realms.ldap.response_settings.timeout.response] may not be used at the same time")); } { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(getFullSettingKey(realmId, SessionFactorySettings.TIMEOUT_LDAP_SETTING), "750ms") .put("path.home", pathHome) .build(); 
@@ -197,7 +197,7 @@ public void session(String user, SecureString password, ActionListener messages = new ArrayList<>(); server.addListener(messages::add); try { - final Settings.Builder settings = Settings.builder() + final Settings.Builder settings = getSettingsBuilder() .put("xpack.notification.email.ssl.truststore.path", getDataPath("test-smtp.p12")); final MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.notification.email.ssl.truststore.secure_password", "test-smtp"); @@ -156,5 +157,13 @@ private List getAllCauses(Exception exception) { return allCauses; } + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } + } diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java index 439eb45f0159f..dc87a0ddf29ff 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookActionTests.java @@ -16,6 +16,7 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.http.MockResponse; import org.elasticsearch.test.http.MockWebServer; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.core.watcher.actions.Action; import org.elasticsearch.xpack.core.watcher.actions.Action.Result.Status; 
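Review bot: The private `getSettingsBuilder()` helper added in the `@@ -156,5 +157,13 @@` hunk has no Javadoc and is repeated word for word in the HttpClientTests, HttpConnectionTimeoutTests, HttpReadTimeoutTests and OpenLdapUserSearchSessionFactoryTests hunks later in this patch, even though it reads no instance state. One `static` helper beside `inFipsSunJsseJvm()` in the test framework would replace five copies and keep the FIPS-specific default in a single place; at minimum mark each copy `private static`. Whichever home it gets, document its purpose, e.g. `/** Settings builder for tests that construct an SSLService: turns off trust-exception diagnosis when inFipsSunJsseJvm() is true. */`. The file header preceding this hunk is not in view, so the owning class cannot be named here.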
@@ -213,7 +214,11 @@ private WebhookActionFactory webhookFactory(HttpClient client) { } public void testThatSelectingProxyWorks() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Settings.Builder settingsBuilder = Settings.builder(); + if (inFipsSunJsseJvm()) { + settingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + Environment environment = TestEnvironment.newEnvironment(settingsBuilder.put("path.home", createTempDir()).build()); try (HttpClient httpClient = new HttpClient(Settings.EMPTY, new SSLService(environment.settings(), environment), null, mockClusterService()); diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java index 9d8005344e8b2..1163967be4584 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/webhook/WebhookHttpsIntegrationTests.java 
@@ -53,13 +53,16 @@ public class WebhookHttpsIntegrationTests extends AbstractWatcherIntegrationTest protected Settings nodeSettings(int nodeOrdinal) { Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); - return Settings.builder() + Settings.Builder builder = Settings.builder() .put(super.nodeSettings(nodeOrdinal)) .put("xpack.http.ssl.key", keyPath) .put("xpack.http.ssl.certificate", certPath) .put("xpack.http.ssl.keystore.password", "testnode") - .putList("xpack.http.ssl.supported_protocols", getProtocols()) - .build(); + .putList("xpack.http.ssl.supported_protocols", getProtocols()); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder.build(); } @Before diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java index 2e0c8d2df6e1f..ba843c714b6b6 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpClientTests.java @@ -78,7 +78,7 @@ public class HttpClientTests extends ESTestCase { private MockWebServer webServer = new MockWebServer(); private HttpClient httpClient; - private Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + private Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); @Before public void init() throws Exception { 
@@ -188,7 +188,7 @@ public void testHttps() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.certificate_authorities", trustedCertPath) .setSecureSettings(secureSettings) .build(); @@ -196,7 +196,7 @@ public void testHttps() throws Exception { secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode"); - Settings settings2 = Settings.builder() + Settings settings2 = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", keyPath) .put("xpack.security.http.ssl.certificate", certPath) @@ -213,7 +213,7 @@ public void testHttpsDisableHostnameVerification() throws Exception { Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.crt"); Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-no-subjaltname.pem"); Settings settings; - Settings.Builder builder = Settings.builder() + Settings.Builder builder = getSettingsBuilder() .put("xpack.http.ssl.certificate_authorities", certPath); if (inFipsJvm()) { //Can't use TrustAllConfig in FIPS mode 
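Review bot: In the last hunk here, `testHttpsDisableHostnameVerification` now builds its settings from `getSettingsBuilder()`, which keys on `inFipsSunJsseJvm()`, while the very next context line still branches on the broader `inFipsJvm()` with `//Can't use TrustAllConfig in FIPS mode`. Nothing tells a reader that the two predicates are meant to differ rather than one being a missed replacement. Extend the existing comment, e.g. `// inFipsJvm() (not inFipsSunJsseJvm()) is intended here: TrustAllConfig is unusable in every FIPS JVM, whereas trust diagnosis is only turned off for the narrower case`. The method continues beyond the hunk.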
@@ -226,7 +226,7 @@ public void testHttpsDisableHostnameVerification() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it only defines a truststore secureSettings.setString("xpack.security.http.ssl.secure_key_passphrase", "testnode-no-subjaltname"); - Settings settings2 = Settings.builder() + Settings settings2 = getSettingsBuilder() .put("xpack.security.http.ssl.enabled", true) .put("xpack.security.http.ssl.key", keyPath) .put("xpack.security.http.ssl.certificate", certPath) @@ -244,7 +244,7 @@ public void testHttpsClientAuth() throws Exception { Path keyPath = getDataPath("/org/elasticsearch/xpack/security/keystore/testnode.pem"); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put("xpack.http.ssl.key", keyPath) .put("xpack.http.ssl.certificate", certPath) .putList("xpack.http.ssl.supported_protocols", getProtocols()) @@ -300,7 +300,8 @@ public void testHttpResponseWithAnyStatusCodeCanReturnBody() throws Exception { @Network public void testHttpsWithoutTruststore() throws Exception { - try (HttpClient client = new HttpClient(Settings.EMPTY, new SSLService(Settings.EMPTY, environment), null, mockClusterService())) { + try (HttpClient client = new HttpClient(Settings.EMPTY, new SSLService(getSettingsBuilder().build(), environment), null, + mockClusterService())) { // Known server with a valid cert from a commercial CA HttpRequest.Builder request = HttpRequest.builder("www.elastic.co", 443).scheme(Scheme.HTTPS); HttpResponse response = client.execute(request.build()); 
@@ -315,7 +316,7 @@ public void testThatProxyCanBeConfigured() throws Exception { try (MockWebServer proxyServer = new MockWebServer()) { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.PROXY_HOST.getKey(), "localhost") .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) .build(); @@ -381,7 +382,7 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { MockSecureSettings serverSecureSettings = new MockSecureSettings(); // We can't use the client created above for the server since it is only a truststore serverSecureSettings.setString("xpack.http.ssl.secure_key_passphrase", "testnode"); - Settings serverSettings = Settings.builder() + Settings serverSettings = getSettingsBuilder() .put("xpack.http.ssl.key", keyPath) .put("xpack.http.ssl.certificate", certPath) .putList("xpack.http.ssl.supported_protocols", getProtocols()) @@ -395,7 +396,7 @@ public void testProxyCanHaveDifferentSchemeThanRequest() throws Exception { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.PROXY_HOST.getKey(), "localhost") .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort()) .put(HttpSettings.PROXY_SCHEME.getKey(), "https") @@ -427,7 +428,7 @@ public void testThatProxyCanBeOverriddenByRequest() throws Exception { try (MockWebServer proxyServer = new MockWebServer()) { proxyServer.enqueue(new MockResponse().setResponseCode(200).setBody("fullProxiedContent")); proxyServer.start(); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.PROXY_HOST.getKey(), "localhost") .put(HttpSettings.PROXY_PORT.getKey(), proxyServer.getPort() + 1) .put(HttpSettings.PROXY_HOST.getKey(), "https") 
@@ -451,7 +452,7 @@ public void testThatProxyCanBeOverriddenByRequest() throws Exception { } public void testThatProxyConfigurationRequiresHostAndPort() { - Settings.Builder settings = Settings.builder(); + Settings.Builder settings = getSettingsBuilder(); if (randomBoolean()) { settings.put(HttpSettings.PROXY_HOST.getKey(), "localhost"); } else { @@ -552,7 +553,7 @@ public void testMaxHttpResponseSize() throws Exception { String data = randomAlphaOfLength(randomBytesLength); webServer.enqueue(new MockResponse().setResponseCode(200).setBody(data)); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.MAX_HTTP_RESPONSE_SIZE.getKey(), new ByteSizeValue(randomBytesLength - 1, ByteSizeUnit.BYTES)) .build(); @@ -631,7 +632,7 @@ public void testThatUrlDoesNotContainQuestionMarkAtTheEnd() throws Exception { public void testThatWhiteListingWorks() throws Exception { webServer.enqueue(new MockResponse().setResponseCode(200).setBody("whatever")); - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); try (HttpClient client = new HttpClient(settings, new SSLService(environment.settings(), environment), null, mockClusterService())) { @@ -641,7 +642,7 @@ public void testThatWhiteListingWorks() throws Exception { } public void testThatWhiteListBlocksRequests() throws Exception { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()) .build(); 
@@ -667,7 +668,7 @@ public void testThatWhiteListBlocksRedirects() throws Exception { webServer.enqueue(new MockResponse().setResponseCode(200)); } - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build(); try (HttpClient client = new HttpClient(settings, new SSLService(environment.settings(), environment), null, mockClusterService())) { @@ -688,7 +689,7 @@ public void testThatWhiteListingWorksForRedirects() throws Exception { } webServer.enqueue(new MockResponse().setResponseCode(200).setBody("shouldBeRead")); - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri() + "*").build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri() + "*").build(); try (HttpClient client = new HttpClient(settings, new SSLService(environment.settings(), environment), null, mockClusterService())) { @@ -704,7 +705,7 @@ public void testThatWhiteListingWorksForRedirects() throws Exception { public void testThatWhiteListReloadingWorks() throws Exception { webServer.enqueue(new MockResponse().setResponseCode(200).setBody("whatever")); - Settings settings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), "example.org").build(); + Settings settings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), "example.org").build(); ClusterService clusterService = mock(ClusterService.class); ClusterSettings clusterSettings = new ClusterSettings(settings, new HashSet<>(HttpSettings.getSettings())); when(clusterService.getClusterSettings()).thenReturn(clusterSettings); 
@@ -719,7 +720,7 @@ public void testThatWhiteListReloadingWorks() throws Exception {
 ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> client.execute(request));
 assertThat(e.getMessage(), containsString("is not whitelisted"));
- Settings newSettings = Settings.builder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build();
+ Settings newSettings = getSettingsBuilder().put(HttpSettings.HOSTS_WHITELIST.getKey(), getWebserverUri()).build();
 clusterSettings.applySettings(newSettings);
 HttpResponse response = client.execute(request);
@@ -790,4 +791,12 @@ private static List getProtocols() {
 }
 return XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS;
 }
+
+ private Settings.Builder getSettingsBuilder() {
+ Settings.Builder builder = Settings.builder();
+ if (inFipsSunJsseJvm()) {
+ builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false);
+ }
+ return builder;
+ }
 }
diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java
index 3451c771e3e60..1e46eb6ba3884 100644
--- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java
+++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpConnectionTimeoutTests.java
@@ -12,6 +12,7 @@ import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.junit.annotations.Network;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import static org.elasticsearch.xpack.watcher.common.http.HttpClientTests.mockClusterService;
@@ -24,7 +25,7 @@ public class HttpConnectionTimeoutTests extends ESTestCase { @Network public void testDefaultTimeout() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpClient httpClient = new HttpClient(Settings.EMPTY, new SSLService(environment.settings(), environment), null, mockClusterService()); @@ -49,7 +50,7 @@ public void testDefaultTimeout() throws Exception { @Network public void testDefaultTimeoutCustom() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpClient httpClient = new HttpClient(Settings.builder() .put("xpack.http.default_connection_timeout", "5s").build(), new SSLService(environment.settings(), environment), null, mockClusterService()); @@ -75,7 +76,7 @@ public void testDefaultTimeoutCustom() throws Exception { @Network public void testTimeoutCustomPerRequest() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpClient httpClient = new HttpClient(Settings.builder() .put("xpack.http.default_connection_timeout", "10s").build(), new SSLService(environment.settings(), environment), null, mockClusterService()); 
@@ -99,4 +100,12 @@ public void testTimeoutCustomPerRequest() throws Exception { // expected } } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java index e534a2a90757e..4e56914deb354 100644 --- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java +++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/common/http/HttpReadTimeoutTests.java @@ -12,6 +12,7 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.http.MockResponse; import org.elasticsearch.test.http.MockWebServer; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ssl.SSLService; import org.junit.After; import org.junit.Before; @@ -38,7 +39,7 @@ public void cleanup() throws Exception { } public void testDefaultTimeout() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpRequest request = HttpRequest.builder("localhost", webServer.getPort()) .method(HttpMethod.POST) .path("/") 
@@ -59,7 +60,7 @@ null, mockClusterService())) { } public void testDefaultTimeoutCustom() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpRequest request = HttpRequest.builder("localhost", webServer.getPort()) .method(HttpMethod.POST) @@ -82,7 +83,7 @@ null, mockClusterService())) { } public void testTimeoutCustomPerRequest() throws Exception { - Environment environment = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment environment = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); HttpRequest request = HttpRequest.builder("localhost", webServer.getPort()) .readTimeout(TimeValue.timeValueSeconds(3)) @@ -104,4 +105,12 @@ null, mockClusterService())) { assertThat(timeout.seconds(), lessThan(5L)); } } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java index 22515e2d793ff..cbf8f8c0fc071 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java 
@@ -18,6 +18,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.ldap.SearchGroupsResolverSettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapMetaDataResolverSettings; @@ -90,6 +91,9 @@ public void initializeSslSocketFactory() throws Exception { */ MockSecureSettings mockSecureSettings = new MockSecureSettings(); Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } // fake realms so ssl will get loaded builder.put("xpack.security.authc.realms.ldap.foo.ssl.truststore.path", truststore); mockSecureSettings.setString("xpack.security.authc.realms.ldap.foo.ssl.truststore.secure_password", "changeit"); diff --git a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java index de1183db19391..ff7980dc4b9f5 100644 --- a/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java +++ b/x-pack/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/OpenLdapUserSearchSessionFactoryTests.java 
@@ -17,6 +17,7 @@ import org.elasticsearch.test.OpenLdapTests; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.ldap.LdapUserSearchSessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings; @@ -56,7 +57,7 @@ public void init() { * If we re-use an SSLContext, previously connected sessions can get re-established which breaks hostname * verification tests since a re-established connection does not perform hostname verification. */ - globalSettings = Settings.builder() + globalSettings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.authc.realms.ldap.oldap-test.ssl.certificate_authorities", caPath) .build(); @@ -140,4 +141,12 @@ private LdapSession unauthenticatedSession(SessionFactory factory, String userna factory.unauthenticatedSession(username, future); return future.actionGet(); } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } diff --git a/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java b/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java index 6892f640415c4..e2d6f4f2fd150 100644 --- a/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java +++ b/x-pack/qa/security-client-tests/src/test/java/org/elasticsearch/xpack/security/qa/SecurityTransportClientIT.java 
@@ -18,6 +18,7 @@ import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.xpack.core.XPackClientPlugin; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityField; import java.util.Collection; @@ -103,12 +104,14 @@ TransportClient transportClient(Settings extraSettings) { TransportAddress publishAddress = randomFrom(nodes).getTransport().address().publishAddress(); String clusterName = nodeInfos.getClusterName().value(); - Settings settings = Settings.builder() + Settings.Builder builder = Settings.builder() .put(extraSettings) - .put("cluster.name", clusterName) - .build(); + .put("cluster.name", clusterName); + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } - TransportClient client = new PreBuiltXPackTransportClient(settings); + TransportClient client = new PreBuiltXPackTransportClient(builder.build()); client.addTransportAddress(publishAddress); return client; } diff --git a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java index 4487187a80b6d..cb944ffd9c1e0 100644 --- a/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java +++ b/x-pack/qa/security-example-spi-extension/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java @@ -23,6 +23,7 @@ import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; import org.elasticsearch.xpack.core.XPackClientPlugin; +import org.elasticsearch.xpack.core.XPackSettings; import java.util.Collection; import java.util.Collections; 
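Review bot: In `transportClient(Settings extraSettings)` the FIPS override is applied after `.put(extraSettings)`, so on a FIPS/Java 8 JVM any value a caller passes for `DIAGNOSE_TRUST_EXCEPTIONS_SETTING` in `extraSettings` is silently replaced with `false`. If the override is meant to win unconditionally, a short comment saying so would prevent a confused test author from chasing it later; if not, apply the FIPS default to the builder first and put `extraSettings` afterwards so explicit caller values take precedence. The remainder of the method is outside the hunk.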
@@ -78,13 +79,15 @@ public void testTransportClient() throws Exception { TransportAddress publishAddress = randomFrom(nodes).getTransport().address().publishAddress(); String clusterName = nodeInfos.getClusterName().value(); - Settings settings = Settings.builder() + Settings.Builder builder = Settings.builder() .put("cluster.name", clusterName) .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toAbsolutePath().toString()) .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, CustomRealm.KNOWN_USER) - .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()) - .build(); - try (TransportClient client = new PreBuiltXPackTransportClient(settings)) { + .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()); + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + try (TransportClient client = new PreBuiltXPackTransportClient(builder.build())) { client.addTransportAddress(publishAddress); ClusterHealthResponse response = client.admin().cluster().prepareHealth().execute().actionGet(); assertThat(response.isTimedOut(), is(false)); 
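Review bot: The three-line FIPS block (`if (inFipsSunJsseJvm()){ builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); }`) is inlined here and again in the `testTransportClientWrongAuthentication` hunk of the same class, while the other test classes in this diff factor it into a private `getSettingsBuilder()` helper. Giving CustomRealmIT the same helper, or seeding the builder from it, would keep the two copies in step and make the eventual removal a single edit. `testTransportClient()` begins and continues outside the hunk.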
@@ -98,13 +101,15 @@ public void testTransportClientWrongAuthentication() throws Exception { TransportAddress publishAddress = randomFrom(nodes).getTransport().address().publishAddress(); String clusterName = nodeInfos.getClusterName().value(); - Settings settings = Settings.builder() + Settings.Builder builder = Settings.builder() .put("cluster.name", clusterName) .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toAbsolutePath().toString()) .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, CustomRealm.KNOWN_USER + randomAlphaOfLength(1)) - .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()) - .build(); - try (TransportClient client = new PreBuiltXPackTransportClient(settings)) { + .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, CustomRealm.KNOWN_PW.toString()); + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + try (TransportClient client = new PreBuiltXPackTransportClient(builder.build())) { client.addTransportAddress(publishAddress); client.admin().cluster().prepareHealth().execute().actionGet(); fail("authentication failure should have resulted in a NoNodesAvailableException"); diff --git a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java index 0111aeff4cca2..d4e699d7270a0 100644 --- a/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java +++ b/x-pack/qa/security-migrate-tests/src/test/java/org/elasticsearch/xpack/security/MigrateToolTestCase.java 
@@ -9,11 +9,13 @@ import org.apache.logging.log4j.LogManager; import org.apache.lucene.util.LuceneTestCase; import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse; +import org.elasticsearch.bootstrap.JavaVersion; import org.elasticsearch.client.Client; import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityField; import org.junit.After; import org.junit.AfterClass; @@ -25,6 +27,7 @@ import java.nio.file.Path; import java.util.concurrent.atomic.AtomicInteger; +import static org.elasticsearch.test.ESTestCase.FIPS_SYSPROP; import static org.hamcrest.Matchers.notNullValue; /** 
@@ -68,14 +71,16 @@ public abstract class MigrateToolTestCase extends LuceneTestCase { private static Client startClient(Path tempDir, TransportAddress... transportAddresses) { logger.info("--> Starting Elasticsearch Java TransportClient {}, {}", transportAddresses, tempDir); - Settings clientSettings = Settings.builder() + Settings.Builder clientSettingsBuilder = Settings.builder() .put("cluster.name", "qa_migrate_tests_" + counter.getAndIncrement()) .put("client.transport.ignore_cluster_name", true) .put("path.home", tempDir) - .put(SecurityField.USER_SETTING.getKey(), "transport_user:x-pack-test-password") - .build(); - - TransportClient client = new PreBuiltXPackTransportClient(clientSettings).addTransportAddresses(transportAddresses); + .put(SecurityField.USER_SETTING.getKey(), "transport_user:x-pack-test-password"); + // Do not replace this with `inFipsSunJsseJvm(), see https://github.com/elastic/elasticsearch/issues/52391 + if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8) { + clientSettingsBuilder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + TransportClient client = new PreBuiltXPackTransportClient(clientSettingsBuilder.build()).addTransportAddresses(transportAddresses); Exception clientException = null; try { logger.info("--> Elasticsearch Java TransportClient started"); diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java index d2c79d8882f46..57ed673111577 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java 
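Review bot: The added comment `// Do not replace this with `inFipsSunJsseJvm(), see ...` has an unbalanced backtick, and it gives the reason only as a link, so a reader of the file has to leave it to learn why the inlined `Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion...get(0) == 8` check is preferred; the identical comment and check appear in the ESXPackSmokeClientTestCase hunk. Suggested form: `// Do not replace this with inFipsSunJsseJvm(); <one clause summarising the issue>, see https://github.com/elastic/elasticsearch/issues/52391`. Presumably the restriction is tied to this class extending LuceneTestCase rather than ESTestCase, which only imports `FIPS_SYSPROP` statically — if so, saying that in the clause would be enough. The rest of `startClient` is outside the hunk.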
+++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ADLdapUserSearchSessionFactoryTests.java @@ -13,6 +13,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession; @@ -37,14 +38,14 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory @Before public void init() throws Exception { Path certPath = getDataPath("support/smb_ca.crt"); - Environment env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build()); + Environment env = TestEnvironment.newEnvironment(getSettingsBuilder().put("path.home", createTempDir()).build()); /* * Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext. * If we re-use an SSLContext, previously connected sessions can get re-established which breaks hostname * verification tests since a re-established connection does not perform hostname verification. */ - globalSettings = Settings.builder() + globalSettings = getSettingsBuilder() .put("path.home", createTempDir()) .put("xpack.security.authc.realms.ldap.ad-as-ldap-test.ssl.certificate_authorities", certPath) .build(); @@ -135,4 +136,12 @@ private LdapSession unauthenticatedSession(SessionFactory factory, String userna factory.unauthenticatedSession(username, future); return future.actionGet(); } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } 
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java index df8b23d9381a1..d65d46cff683f 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/AbstractActiveDirectoryTestCase.java @@ -15,6 +15,7 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings; import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope; @@ -82,7 +83,9 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IO * verification tests since a re-established connection does not perform hostname verification. */ Settings.Builder builder = Settings.builder().put("path.home", createTempDir()); - + if (inFipsSunJsseJvm()){ + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } // fake realms so ssl will get loaded builder.putList("xpack.security.authc.realms.active_directory.foo.ssl.certificate_authorities", certificatePaths); builder.put("xpack.security.authc.realms.active_directory.foo.ssl.verification_mode", VerificationMode.FULL); 
diff --git a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java index b122404507bc6..835897b486d64 100644 --- a/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java +++ b/x-pack/qa/third-party/active-directory/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java @@ -16,6 +16,7 @@ import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings; @@ -182,7 +183,7 @@ public void testAuthenticateBaseUserSearch() throws Exception { } public void testAuthenticateBaseGroupSearch() throws Exception { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", LdapSearchScope.ONE_LEVEL, false)) .put(ActiveDirectorySessionFactorySettings.AD_GROUP_SEARCH_BASEDN_SETTING, @@ -244,7 +245,7 @@ public void testAuthenticateWithSAMAccountName() throws Exception { } public void testCustomUserFilter() throws Exception { - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", LdapSearchScope.SUB_TREE, false)) .put(getFullSettingKey(REALM_ID.getName(), ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_FILTER_SETTING), 
@@ -270,7 +271,7 @@ public void testStandardLdapConnection() throws Exception { String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test"); - final Settings settings = Settings.builder() + final Settings settings = getSettingsBuilder() .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase, LdapSearchScope.SUB_TREE, null, false)) .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths) @@ -297,7 +298,7 @@ public void testHandlingLdapReferralErrors() throws Exception { String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase, LdapSearchScope.SUB_TREE, null, false)) .putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths) 
@@ -325,7 +326,7 @@ public void testStandardLdapWithAttributeGroups() throws Exception { String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com"; String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com"; final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test"); - Settings settings = Settings.builder() + Settings settings = getSettingsBuilder() .put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase, LdapSearchScope.SUB_TREE, null, false)) .putList("ssl.certificate_authorities", certificatePaths) @@ -371,7 +372,7 @@ private Settings buildAdSettings(String ldapUrl, String adDomainName, boolean ho } private Settings buildAdSettings(String ldapUrl, String adDomainName, boolean hostnameVerification, boolean useBindUser) { - Settings.Builder builder = Settings.builder() + Settings.Builder builder = getSettingsBuilder() .put(getFullSettingKey(REALM_ID, SessionFactorySettings.URLS_SETTING), ldapUrl) .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING), adDomainName) .put(getFullSettingKey(REALM_NAME, ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT) @@ -430,4 +431,12 @@ static ActiveDirectorySessionFactory getActiveDirectorySessionFactory(RealmConfi } return sessionFactory; } + + private Settings.Builder getSettingsBuilder() { + Settings.Builder builder = Settings.builder(); + if (inFipsSunJsseJvm()) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + return builder; + } } diff --git a/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java b/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java index e8d886330ae04..ffb63a62c9e8a 100644 
--- a/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java +++ b/x-pack/qa/transport-client-tests/src/test/java/org/elasticsearch/xpack/ESXPackSmokeClientTestCase.java @@ -9,12 +9,14 @@ import org.apache.logging.log4j.LogManager; import org.apache.lucene.util.LuceneTestCase; import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse; +import org.elasticsearch.bootstrap.JavaVersion; import org.elasticsearch.client.Client; import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.env.Environment; import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient; +import org.elasticsearch.xpack.core.XPackSettings; import org.junit.After; import org.junit.AfterClass; import org.junit.Before; @@ -29,6 +31,7 @@ import java.util.concurrent.atomic.AtomicInteger; import static com.carrotsearch.randomizedtesting.RandomizedTest.randomAsciiOfLength; +import static org.elasticsearch.test.ESTestCase.FIPS_SYSPROP; import static org.hamcrest.Matchers.notNullValue; /** @@ -67,6 +70,10 @@ private static Client startClient(Path tempDir, TransportAddress... transportAdd .put("client.transport.ignore_cluster_name", true) .put("xpack.security.enabled", false) .put(Environment.PATH_HOME_SETTING.getKey(), tempDir); + // Do not replace this with `inFipsSunJsseJvm(), see https://github.com/elastic/elasticsearch/issues/52391 + if (Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) && JavaVersion.current().getVersion().get(0) == 8) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } TransportClient client = new PreBuiltXPackTransportClient(builder.build()) .addTransportAddresses(transportAddresses); 
diff --git a/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java b/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java index f9808ce54faac..558483507a306 100644 --- a/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java +++ b/x-pack/transport-client/src/test/java/org/elasticsearch/xpack/client/PreBuiltXPackTransportClientTests.java @@ -6,9 +6,11 @@ package org.elasticsearch.xpack.client; import com.carrotsearch.randomizedtesting.RandomizedTest; +import org.elasticsearch.bootstrap.JavaVersion; import org.elasticsearch.client.transport.TransportClient; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityField; import org.junit.Test; @@ -21,10 +23,14 @@ public class PreBuiltXPackTransportClientTests extends RandomizedTest { @Test public void testPluginInstalled() { - try (TransportClient client = new PreBuiltXPackTransportClient(Settings.EMPTY)) { + Settings.Builder builder = Settings.builder(); + if (Boolean.parseBoolean(System.getProperty("tests.fips.enabled")) && JavaVersion.current().getVersion().get(0) == 8) { + builder.put(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.getKey(), false); + } + try (TransportClient client = new PreBuiltXPackTransportClient(builder.build())) { Settings settings = client.settings(); assertEquals(SecurityField.NAME4, NetworkModule.TRANSPORT_TYPE_SETTING.get(settings)); } } -} \ No newline at end of file +}
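Review bot: `testPluginInstalled()` hard-codes the system property name as `"tests.fips.enabled"`, whereas every other hunk in this diff reads it through the `FIPS_SYSPROP` constant, so a rename of the property would leave this test silently checking a dead key. If the constant is not reachable from this module (the class extends RandomizedTest rather than ESTestCase), declare a local `private static final String FIPS_SYSPROP = "tests.fips.enabled"; // mirrors ESTestCase.FIPS_SYSPROP` and use it here; otherwise import the shared one. The duplicated `JavaVersion.current().getVersion().get(0) == 8` clause would benefit from the same treatment.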